Black Duck Software Composition Analysis
Identify and manage risk introduced by your software supply chain
Overview
Black Duck is a comprehensive solution for managing security, license compliance, and
code quality risks that come from the use of open source in applications, containers,
and any other software artifact or library. Named a leader in software composition
analysis (SCA) by Forrester, Black Duck gives you unmatched visibility into third-party
dependencies, enabling you to manage risk introduced by your software supply chain.

Establish Visibility
• Import third-party components from SBOMs
• Automate scanning with DevOps integration
• Detect open source in code, binaries, containers, and artifacts

Manage Risk
• Map dependencies to known vulnerabilities and health issues
• Scan for malicious components and sensitive information
• Identify license risk and conflicts
• Prioritize remediation based on severity

Build Trust
• Define custom policy based on risk tolerance and customer requirements
• Generate SBOMs with open source and custom dependencies
• Address supply chain threats before shipping applications

Establish Software Supply Chain Visibility
Most of the code that makes up commercial applications originates from a third party, written by an entity outside the control or visibility of the company distributing or deploying the finished application. Black Duck offers a combination of dependency discovery techniques to give teams complete visibility of application composition so they can effectively assess and manage risk.
• Dependency analysis identifies direct and transitive dependencies declared by package managers.
• Binary analysis detects dependencies in post-build artifacts, such as firmware and container images, without access to source code.
• Snippet analysis matches code snippets, such as those included by AI coding tools, back to their original open source projects.
• CodePrint analysis identifies dependencies in source files and directories, even when they're not declared by package managers.
• Container scanning uses a combination of binary and CodePrint analysis to identify open source dependencies in container images, layer by layer.
• C/C++ scanning identifies open source dependencies and libraries used in C/C++ applications, even when no package manager is present.

Identify and Manage Risk
For every dependency identified, Black Duck evaluates the associated risk, then guides prioritization and remediation efforts.

Security Vulnerabilities
Black Duck Security Advisories (BDSAs), powered by the Black Duck KnowledgeBase, provide timely and actionable alerts on existing and newly disclosed open source vulnerabilities. These alerts include
• Critical risk metrics, vulnerability-specific technical insight, and exploit details
• CVSS scoring and CWE classification data
• Custom vulnerability risk scoring to match your company risk profile
• Component-level upgrade and remediation guidance, mitigating factors, and compensating controls

BDSAs leverage a combination of human research and AI to discover, analyze, and report on vulnerabilities most likely to impact our customers. As a result, BDSAs offer a more complete analysis than any public feed, and they do so within hours of a vulnerability disclosure.
License Risk
Black Duck surfaces the exact license used by each application dependency, including explicitly declared licenses, sublicenses, and
embedded licenses. The requirements and restrictions associated with each license are extracted and presented in a simplified view, along
with the complete license text and copyright information. Customers can also automatically generate notice files, which almost every
open source license requires.
Component Health
To enable teams to be more proactive in preventing security risks, Black Duck provides metrics that can be used to evaluate the health,
history, community support, origin, and reputation of an open source project.
Malware
Black Duck enables teams to expand their risk evaluation beyond known vulnerabilities. It provides post-build analysis of software
artifacts to detect the presence of malware, such as suspicious files, potentially unwanted applications, protestware, and suspicious file
structures.
Automate Open Source Governance
Configure your open source security and usage policies based on a comprehensive array of criteria, including license type, vulnerability
severity, open source component version, and more. Enforce policies with automatic workflow triggers, notifications, and bidirectional
Jira or Azure integration for accelerated remediation initiation and reporting. Use policy to prevent development teams from using risky
components and to block builds should these components be included in release streams.
Build SBOMs into the Application Life Cycle
With Black Duck, teams can
? Import third-party software bills of materials (SBOMs) to automatically map dependencies to known components and create new
components for custom or commercial dependencies.
? Export SBOMs, containing all open source, custom, and commercial dependencies, in SPDX or CycloneDX formats, to align with
customer, industry, or regulatory requirements. Leverage out-of-the-box templates to meet the appropriate level of sharing detail
specified by the consumer.
? Integrate with SDLC tools to automate SBOM generation and continuously monitor SBOM dependencies for existing or newly
discovered risk.
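What the governance and SBOM sections above describe in practice is a policy check run over an exported SBOM. The following is an added example, not Black Duck's own code, policy engine or API: it parses a CycloneDX 1.4 JSON document, evaluates each component against a denied-license list, a minimum-version floor and a vulnerability severity ceiling, and returns the pass/fail decision a CI job would use to block the build. The SBOM, its package names and versions, and the vulnerability ID "EXAMPLE-2024-0001" are constructed placeholders for the example, not real packages or advisories.

```python
"""Policy gate over a CycloneDX SBOM (added example; not Black Duck code or API).

Parses a CycloneDX 1.4 JSON document, checks every component against a
license / minimum-version / vulnerability-severity policy, and returns a
pass/fail decision plus the findings a CI job would print before blocking.
"""
import json
from dataclasses import dataclass, field

# Constructed SBOM for the example. Package names, versions and the
# vulnerability id are placeholders, not real packages or advisories.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "bom-ref": "pkg:npm/example-left-pad@1.0.0",
         "name": "example-left-pad", "version": "1.0.0",
         "purl": "pkg:npm/example-left-pad@1.0.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "bom-ref": "pkg:maven/org.example/copyleft-lib@2.3.1",
         "name": "copyleft-lib", "version": "2.3.1",
         "purl": "pkg:maven/org.example/copyleft-lib@2.3.1",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "bom-ref": "pkg:pypi/example-parser@0.9.2",
         "name": "example-parser", "version": "0.9.2",
         "purl": "pkg:pypi/example-parser@0.9.2",
         "licenses": [{"expression": "Apache-2.0 OR MIT"}]},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-2024-0001",  # placeholder id, not a CVE or BDSA
         "ratings": [{"severity": "critical", "method": "CVSSv31"}],
         "affects": [{"ref": "pkg:pypi/example-parser@0.9.2"}]},
    ],
})

SEVERITY_RANK = {"none": 0, "info": 0, "unknown": 0,
                 "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Policy:
    denied_licenses: set = field(default_factory=lambda: {"GPL-3.0-only", "AGPL-3.0-only"})
    max_severity: str = "high"                        # anything rated above this blocks
    min_versions: dict = field(default_factory=dict)  # component name -> lowest allowed version


@dataclass
class Finding:
    ref: str      # bom-ref of the offending component
    rule: str     # "license", "version" or "vulnerability"
    detail: str


def parse_version(v):
    """Dotted numeric version -> comparable tuple; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def component_licenses(comp):
    """Collect SPDX ids, free-text names and expressions from a component's licenses list."""
    out = []
    for entry in comp.get("licenses", []):
        if "expression" in entry:
            out.append(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            out.append(lic.get("id") or lic.get("name") or "UNKNOWN")
    return out


def evaluate(sbom_json, policy):
    """Return the list of Findings for every policy rule that fires on the SBOM."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    findings = []
    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("purl") or comp.get("name")
        for lic in component_licenses(comp):
            if lic in policy.denied_licenses:
                findings.append(Finding(ref, "license", f"{lic} is denied by policy"))
        floor = policy.min_versions.get(comp.get("name"))
        if floor and parse_version(comp.get("version", "0")) < parse_version(floor):
            findings.append(Finding(ref, "version", f"{comp.get('version')} is below minimum {floor}"))
    limit = SEVERITY_RANK[policy.max_severity]
    for vuln in sbom.get("vulnerabilities", []):
        worst = max((SEVERITY_RANK.get(r.get("severity", "none").lower(), 0)
                     for r in vuln.get("ratings", [])), default=0)
        if worst > limit:
            for aff in vuln.get("affects", []):
                findings.append(Finding(aff["ref"], "vulnerability",
                                        f"{vuln['id']} is rated above {policy.max_severity}"))
    return findings


def gate(sbom_json, policy):
    """Return (passed, findings). passed is False when any policy rule fired."""
    findings = evaluate(sbom_json, policy)
    return (len(findings) == 0, findings)


if __name__ == "__main__":
    passed, findings = gate(SAMPLE_SBOM, Policy())
    for f in findings:
        print(f"[{f.rule}] {f.ref}: {f.detail}")
    print("build", "allowed" if passed else "BLOCKED")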
For information on the languages, package managers, and integrations supported by Black Duck, visit our website.
The Synopsys difference
Synopsys provides integrated solutions that transform the way you build and deliver software, accelerating innovation while addressing
business risk. With Synopsys, your developers can secure code as fast as they write it. Your development and DevSecOps teams can
automate testing within development pipelines without compromising velocity. And your security teams can proactively manage risk and
focus remediation efforts on what matters most to your organization. Our unmatched expertise helps you plan and execute any security
initiative. Only Synopsys offers everything you need to build trust in your software.
For more information about the Synopsys Software Integrity Group, visit us online at software.
©2024 Synopsys, Inc. All rights reserved. Synopsys is a trademark of Synopsys, Inc. in the United States and other countries. A list of Synopsys trademarks is available at
copyright.html. All other names mentioned herein are trademarks or registered trademarks of their respective owners. April 2024.